Image: Natee Meepian / Shutterstock
Microsoft is warning that hackers are using open source software and bogus social media accounts to dupe software engineers and IT support staff with fake job offers that in reality lead to malware attacks.
A phishing-happy hacking crew linked to North Korea’s armed forces has been using trojanized open-source apps and LinkedIn recruitment bait to hit tech industry employees, according to threat analysts from Microsoft’s advanced persistent threat (APT) research group.
The Microsoft Threat Intelligence Center (MSTIC, pronounced ‘Mystic’) has seen the group using PuTTY, KiTTY, TightVNC, Sumatra PDF Reader, and the muPDF/Subliminal Recording software installer for these attack since late April, according to MSTIC’s blogpost.
The hacking group has targeted employees in media, defense and aerospace, and IT services in the US, UK, India, and Russia. The group was also behind the massive attack on Sony Pictures Entertainment in 2014.
Also known as Lazarus, and tracked by Microsoft as ZINC, Google Cloud’s Mandiant threat analysts saw the group spear-phishing targets in the tech and media sectors with bogus job offers in July, using WhatsApp to share a trojanized instance of PuTTY.
“Microsoft researchers have observed spear-phishing as a primary tactic of ZINC actors, but they have also been observed using strategic website compromises and social engineering across social media to achieve their objectives,” MSTIC notes.
“ZINC targets employees of companies it’s attempting to infiltrate and seeks to coerce these individuals into installing seemingly benign programs or opening weaponized documents that contain malicious macros. Targeted attacks have also been carried out against security researchers over Twitter and LinkedIn.”
The group engages in espionage, data theft, hacking crypto exchanges and banking systems, and wrecking networks. It is also tracked as Labyrinth Chollima and Black Artemis.
A security team at Microsoft-owned LinkedIn also saw these actors creating fake profiles to impersonate recruiters from companies in the technology, defense, and media entertainment sectors.
Targets were guided off LinkedIn to WhatsApp to share malware, and included IT and IT support workers at companies in the US, UK and India, according to Microsoft. Google’s Threat Analysis Group (TAG) found the group using Twitter, Discord, YouTube, Telegram, Keybase and email with similar tactics last January.
US authorities warned US and European firms to beware of IT contractors applying for support and developer roles last year.
LinkedIn’s Threat Prevention and Defense team terminated the bogus accounts.
“ZINC primarily targeted engineers and technical support professionals working at media and information technology companies located in the UK, India, and the US,” MSTIC warned.
“Targets received outreach tailored to their profession or background and were encouraged to apply for an open position at one of several legitimate companies. In accordance with their policies, for accounts identified in these attacks, LinkedIn quickly terminated any accounts associated with inauthentic or fraudulent behavior.”